Security assessment of Dutch election software

Last month I started an independent security assessment of the software that totalizes votes in the upcoming Dutch elections on March 21, 2018. The software is called OSV (Ondersteunende Software Verkiezingen) and is made by the German company IVU Traffic Technologies AG. IVU was hired for this by the Electoral Council (Kiesraad).

OSV programs 4 and 5 (P4, P5), version 2.21.4, were in scope and researched in this security assessment. This is the official version that will be used in the Dutch elections held on March 21, 2018. OSV P4 and P5 are responsible for totalizing the election outcome.

After completing the security review of OSV P4 and P5 and the processes around them, 47 security vulnerabilities were found in OSV and those processes:

Independent IT security researchers and ethical hackers:
Ger Schinkel and John de Kroon.

Most important findings

1. Software decides who won the election and this output is fully trusted again
RTL News found out that the Electoral Council and municipalities quietly trust OSV output again and will use it to calculate who wins the upcoming elections on March 21, 2018. This renewed trust in OSV was not validated by an independent, reputable cyber security firm: the Electoral Council did not hire Fox-IT again in 2018 to check whether all major security risks were properly solved in the new OSV version made by IVU.

After election day, on March 22, 2018, civil servants from the central vote office of a municipality will enter the vote totals from the polling stations into OSV. OSV will totalize all vote totals per candidate and generate a PDF file containing the election result, which has to be printed (an N11 and O3 document). The printed election result becomes the official and trusted record (‘paper is leading’). It will not be manually validated by civil servants, as OSV is trusted to be unhackable again.

If someone hacks the OSV server, that person can easily manipulate votes by changing the votes stored in the OSV database and in the PDF files stored on the server that are to be printed.

2. OSV security has not been substantially improved in comparison with last year
If OSV output is trusted again, you would expect security to be significantly improved. And indeed, security improvements have been made. However, not enough. Last year, on January 30, 2017, IT security researcher Sijmen Ruwhof published on his weblog a detailed technical analysis of all the weaknesses he found in OSV P4 and P5. A retest has been performed to see whether the findings mentioned on the weblog were resolved in the latest version of OSV:

There are 25 open security risks after the retest (all unsolved and partly solved findings combined):

The retest shows that OSV security has not been substantially improved in comparison with last year.

3. OSV uses outdated, deprecated and insecure technology from ten years ago
OSV was developed in 2008 and has not changed much over the years. The OSV version used in the March 2018 election still uses very old and insecure (JBoss and Java) technology from 2008 and 2013 that is missing many important security updates. These technologies are also not properly configured and hardened against attacks. An advanced attacker who has gained access to the offline OSV network of a municipality could break into the OSV server by exploiting unpatched security vulnerabilities. Once an adversary has gained access to the OSV server, votes can easily be changed without detection.

Professor of IT security Herbert Bos from VU University Amsterdam also independently investigated the OSV source code. He came to the following conclusion: “The OSV source code is written very poorly. For that reason alone it should be abolished.”

4. Sophisticated or opportunistic attackers can probably influence the election outcome unnoticed
Based on all 47 vulnerabilities found in OSV and the processes around it, it is believed that hackers from foreign intelligence agencies can easily manipulate vote totals by hacking into the OSV server of a municipality. But election fraud may also come from much closer, for example from opportunistic or bribed system administrators working at municipalities who already have full access to the OSV server. As active security and fraud monitoring on OSV servers is missing, fraud will probably go undetected if it is not done too obviously or greedily.

5. Official vote reports from polling stations are not published on the internet

Currently it is up to each municipality to publish the vote totals of each polling station on its website. Some cities publish all the vote totals of each polling station in their own format, while others only publish the aggregated total votes for the municipality without the details of each polling station. Scans of the official paper polling station reports (processen-verbaal) are never uploaded to the internet. A digital export file of all the vote totals is generated by OSV. This file is in some cases converted to HTML by municipalities and published (partially) on their website.

The official polling station reports that contain all the vote totals of a municipality can only be inspected offline at the office of that municipality. This raises the bar significantly for citizens and polling station chairs who want to verify whether someone has tampered with the election outcome in the totalization process. A concerned citizen who wants to independently validate all the totalizing of votes in the Netherlands would have to visit each municipality and copy all the official reports from its polling stations. This takes a lot of time. Elections should be completely verifiable with minimal effort by everyone who thinks election integrity is at risk.

Most important recommendations

1. Do not trust output from OSV again: use OSV to validate manually counted votes
History shows that exclusive manual aggregation of vote totals is error-prone, and exclusive digital aggregation of vote totals is vulnerable to manipulation by sophisticated attackers.

OSV can still be useful, however, even to strengthen the security of an election. All vote totals for each candidate of a political party should be manually totalized by the central vote office of a municipality. Afterwards, the vote totals as calculated by each independent polling station in the municipality should be entered into OSV. OSV should then also totalize all vote totals and calculate who won the election. The OSV output should be used to verify whether the manual totalization was done properly and without mistakes.

Distrusting OSV output and manually totalizing vote totals takes a couple more days, but eliminates the risk that our election is hacked by manipulating vote totals. Waiting a couple more days for the election outcome is nothing compared to the impact if the election gets hacked. The official paper vote total reports of municipalities should be filled in manually by civil servants based on the manually calculated vote totals. OSV prints should never be used as official documents anymore. The cyber security of OSV is of much less importance if its output is distrusted.
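One way to implement the cross-check in this recommendation, as an added example that is not part of the original assessment or of OSV: an independent totalization of per-polling-station figures, compared party by party against the totals the software reports, plus the random sample-of-parties spot check that the Utrecht update later on this page describes. The polling station figures and the tampered software result are constructed sample data.

```python
import random
from collections import defaultdict

# Constructed sample data: votes per party as reported on each polling
# station's paper report (process-verbaal). Not real election figures.
POLLING_STATIONS = {
    "station-01": {"Party A": 412, "Party B": 388, "Party C": 97},
    "station-02": {"Party A": 530, "Party B": 301, "Party C": 142},
    "station-03": {"Party A": 275, "Party B": 460, "Party C": 80},
}

# Constructed example of a manipulated software result: 60 votes moved from
# Party B to Party A, so the overall number of votes stays the same.
TAMPERED_SOFTWARE_RESULT = {"Party A": 1277, "Party B": 1089, "Party C": 319}


def totalize(stations):
    """Independent totalization: sum the votes per party over all stations."""
    totals = defaultdict(int)
    for counts in stations.values():
        for party, votes in counts.items():
            totals[party] += votes
    return dict(totals)


def compare_totals(manual, software):
    """Return (party, manual_total, software_total) for every party that differs."""
    parties = sorted(set(manual) | set(software))
    return [(p, manual.get(p, 0), software.get(p, 0))
            for p in parties if manual.get(p, 0) != software.get(p, 0)]


def sample_check(stations, software, n_parties=3, seed=None):
    """Spot check: pick n parties at random, total them by hand and compare.

    A manipulation that keeps the grand total constant still changes the
    per-party totals, so a sampled party that was touched is detected."""
    rng = random.Random(seed)  # seed only for reproducible demonstrations
    parties = sorted({p for counts in stations.values() for p in counts})
    chosen = rng.sample(parties, min(n_parties, len(parties)))
    manual = {p: sum(c.get(p, 0) for c in stations.values()) for p in chosen}
    return compare_totals(manual, {p: software.get(p, 0) for p in chosen})


if __name__ == "__main__":
    manual_totals = totalize(POLLING_STATIONS)
    for party, by_hand, by_software in compare_totals(manual_totals, TAMPERED_SOFTWARE_RESULT):
        print(f"MISMATCH {party}: manual {by_hand}, software {by_software}")
```

A full per-party comparison catches every altered total; the sample check only catches manipulations that touch one of the sampled parties, which is why the full manual totalization is the recommended option.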

2. Complete transparency and easy access to official vote reports from polling stations
It is strongly advised to immediately scan all official vote total reports (processen-verbaal) from polling stations and upload them to a secure portal within a couple of days after the elections are held. This portal does not currently exist and should be developed by the Central Electoral Council. The portal should also publish all uploaded official vote total reports on its website so people can independently review them.

In a reaction to RTL News, the Electoral Council states: “A bill is being prepared in which all official reports from polling stations will be made public on the internet in the future.” Good to hear this point is already being picked up!

Update December 5, 2018: Bill is approved!

The Electoral Council announced that the bill is approved! All polling station reports will be scanned and published on the websites of municipalities in the next election on March 20, 2019.

Conclusion

It is strongly and urgently recommended not to trust software output in determining who won an election. Software can be hacked undetectably at many levels and stages. Even offline and air-gapped networks can be hacked with utmost precision, as shown in the news about the Stuxnet worm in 2010. Recent history has shown that intelligence agencies worldwide have breached the best-protected IT networks in the world with highly advanced and complex malware infrastructure.

OSV uses outdated, deprecated and insecure technology from ten years ago. OSV security has not been substantially improved in comparison with last year. It is built by a software company that seems to have no clue about how to protect software against hackers and today's cyber threat landscape. Over 50 security weaknesses have been identified in only a couple of days. OSV’s security architecture is broken by design: it has major security flaws that can’t be fixed.

OSV should be used only to validate whether the manual totalization of vote totals has been done properly and without any mistakes.

VU University Amsterdam

The IT security department (VUSec) of VU University Amsterdam was contacted to also look into the security of OSV and to validate this research. They published their own security analysis of OSV:

“[..] During our analysis, we focused (almost) exclusively on the code. A related and very readable security analysis by Sijmen Ruwhof that focuses more on the context and use. We agree with his findings and just report on the more technical issues that we discovered. The issues we found, combined with the security analysis by Sijmen Ruwhof are sufficient reason for us to conclude that we should not rely on this software for something that is so essential to the heart of a democratic state itself as the election results. [..] Software is inherently vulnerable and corruption and manipulation by attackers may have huge consequences for the trustworthiness of the election results, and, as a consequence, the trust voters may have in the democratic system. Do not gamble with the elections. Do not rely on software alone. [..]”

We analyzed the election support software used in Dutch elections (also those of next week). Conclusion: *many vulnerabilities* in the software. https://t.co/VFdsoRWduh

Update March 14, 2018: Responsible minister responds to our research

The minister ignores our research and continues trusting the output of the software, without manually validating it (!). This is very irresponsible and dangerous! Our elections will still be hackable next week on March 21, 2018. Unbelievable.

Update March 20, 2018: RTL News update

“Extra manual check due to controversial election software

Several municipalities will perform an extra manual validation of the municipal elections. Multiple municipalities such as Utrecht and Tilburg are responding to residents who are worried about the security of the election software with which votes are counted.

Ballots in the Netherlands are counted manually, but the results of the polling stations are counted in the town hall with special software. A week ago, RTL News revealed that the software that calculates the election results contains dozens of security vulnerabilities. This would allow malicious parties to manipulate with election results fairly easily and undetectable, experts say.

Caring about software

After the broadcast, Utrecht invited one of the IT experts to the town hall, says Henk van Dijkhuizen, head of Public Affairs of the municipality, to RTL News. “He pointed out a missing link in the system: a manual check of the result. I share his concerns: if you rely too heavily on software, you can be disappointed.”

The municipality still uses the software to add up all the results of the various polling stations. But then a sample is also done. From three randomly selected political parties, all totals are summed up by hand. If the manual calculation equals that of the computer, it is virtually impossible that the leaks in the software have been misused.

Security researcher Sijmen Ruwhof thinks it is ‘a very nice solution’ for Utrecht. “A good compromise given the short time that is left. Verifying that our election isn’t hacked is now not solely depending on citizens to check the results in these municipalities.”

‘A lot of trouble with manually recounting’

Last week it turned out that Minister Ollongren of Home Affairs had just abrogated the manual recount. It generated a lot of political commotion. She said that municipalities had ‘a lot of trouble’ with the previous elections.

But the municipality of Utrecht thinks that its way of manually verifying the election result is easy to do. “Moreover,” says Van Dijkhuizen, “if this increases the confidence in the elections, then we should just do this.”

Update March 21, 2018: Mayor of Rotterdam

Mayor Aboutaleb of Rotterdam doesn’t know that software calculates who will win the election in his municipality and doesn’t take it seriously: